claudetools/clients/kittle/session-logs/2026-05-08-howard-joshua-onsite-and-gururmm-onboarding.md
Howard Enos 935b6995e5 sync: auto-sync from HOWARD-HOME at 2026-05-08 19:53:03
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-05-08 19:53:03
2026-05-08 19:53:06 -07:00


Kittle — Joshua Sutherland AD onboarding + GuruRMM site setup

Date: 2026-05-08
Client: Kittle Design & Construction LLC (Syncro 32460233, Tenant kittle.lan)

User

  • User: Howard Enos (howard)
  • Machine: Howard-Home + onsite at Kittle 11:30 AM PT
  • Role: tech

Session Summary

Created Active Directory user joshua.sutherland at Kittle Design & Construction's domain (kittle.lan) for new employee Joshua Sutherland, who is taking over Wrex's existing workstation. Coordinated the onsite via Syncro ticket #32263 with an 11:30 AM PT scheduled appointment. Vaulted the Kittle GuruRMM site enrollment key (the Kittle GuruRMM client + site were created today) to enable agent deployment to Kittle endpoints going forward. Documented the working ScreenConnect command pattern (#!ps prefix required for PowerShell context) after Howard hit cmd-vs-PowerShell parsing errors.

Key Decisions

  • Joshua's email field uses the existing M365 domain (joshua@kittlearizona.com) — Kittle's M365 cloud identity layer is on kittlearizona.com while their on-prem AD is kittle.lan. Email field on the AD user reflects M365, not the on-prem domain.
  • Initial AD password set to Sutherland2026!, then reset onsite to Kota2020! per Howard's direction. Force-change-at-logon enabled.
  • Local admin rights on Wrex's PC handled separately — Add-LocalGroupMember must run on Wrex's actual workstation, not on the DC (which doesn't have a local Administrators group; that command targets the local SAM, not the domain).
  • Kittle is now a GuruRMM client. Howard installing agents on SERVER2021 + Wrex's PC during the onsite to begin RMM coverage.
  • Saved feedback memory: Syncro appointment owner must be explicitly confirmed when creating tickets — don't auto-default to ticket's assigned tech, don't add additional attendees without explicit user direction.

Problems Encountered

  • ScreenConnect command runner defaulted to cmd context, causing PowerShell syntax to fail. Resolved by prefixing scripts with #!ps to force PowerShell execution.
  • Initial AD user creation had -AccountPassword $Kota2020!, which PowerShell parsed as the variable $Kota2020 (empty) followed by a literal !, because ! cannot be part of a variable name. Resolved by setting $Password = ConvertTo-SecureString "Kota2020!" -AsPlainText -Force first, then referencing $Password.
  • Add-LocalGroupMember on the DC failed with "Group Administrators was not found." — DCs use Builtin\Administrators (domain-wide), not a local SAM group. Resolved by deferring the local-admin step to when Howard is at Wrex's actual workstation.

Configuration Changes

Active Directory user created (kittle.lan domain)

Name:               Joshua Sutherland
SamAccountName:     joshua.sutherland
UserPrincipalName:  joshua.sutherland@kittle.lan
EmailAddress:       joshua@kittlearizona.com
Enabled:            true
ChangePasswordAtLogon: true
DistinguishedName:  CN=Joshua Sutherland,CN=Users,DC=kittle,DC=lan
Description:        Created 2026-05-08 by Howard for use on Wrex's machine

Password initially set to Sutherland2026!, then reset to Kota2020! per Howard's onsite preference (Set-ADAccountPassword -Identity joshua.sutherland -NewPassword $NewPassword -Reset).

Kittle GuruRMM site (created today, agents pending)

Client:    Kittle Design & Construction LLC (id d8b08837-78e0-441e-b824-e0abbf0254ed, code KITTLE)
Site:      Main Office (id 851376d1-33be-46ee-9e48-be44767e4a0a, code SILVER-HAWK-7639)
Address:   2539 N Balboa Ave #125, Tucson AZ 85705
API key:   grmm_JA9bA45d7IGOf0bEifZnH9JjIBPOMZxq

Vaulted at clients/kittle/gururmm-site-main.sops.yaml (vault commit 6eb3414).

Syncro ticket created

  • #32263 — "Joshua - set up account on Wrex's computer" — Onsite, Scheduled, Howard Enos
  • Appointment id 5585387825 — 2026-05-08 11:30 AM - 1:00 PM PT
  • Customer: Kittle Design & Construction LLC, contact_id null per global rule

Memory updated

  • New: .claude/memory/feedback_syncro_appointment_owner.md — confirm appointment owner explicitly when creating tickets, don't add attendees silently.

Credentials & Secrets

Joshua Sutherland AD account (kittle.lan)

  • Username: joshua.sutherland
  • UPN: joshua.sutherland@kittle.lan
  • Email: joshua@kittlearizona.com
  • Password (current, after onsite reset): Kota2020!
  • Force change at next logon: yes

Kittle GuruRMM Main Office site enrollment key (NEW today)

  • API key: grmm_JA9bA45d7IGOf0bEifZnH9JjIBPOMZxq
  • Vault: clients/kittle/gururmm-site-main.sops.yaml

Kittle SERVER2021 admin (FROM Syncro customer notes — needs vault migration)

  • Username: administrator
  • Password: AXman2Z
  • Source: Syncro customer notes (plaintext exposure) — flag for vault migration. Same pattern as Horseshoe Management.

Kittle M365 Outlook accounts (FROM Syncro customer notes — also flagged)

  • kittletucson@outlook.com / tick8800
  • kittletucson2@outlook.com / Tick8800

Infrastructure & Servers

  • Kittle domain: kittle.lan (NetBIOS: KITTLE)
  • DC + file server: SERVER2021 (Syncro asset id 10584015)
  • M365 tenant: kittlearizona.com
  • Other Syncro asset: FRONTDESK (id 11122225)
  • Wrex's workstation: hostname unknown — not in Syncro asset inventory. Discovery pending onsite.
  • Office: 2539 N Balboa Ave #125, Tucson AZ 85705
  • Primary contact: Kimberly Ross, admin@kittlearizona.com

Commands & Outputs

Working AD user creation script (run on DC via ScreenConnect with #!ps prefix)

#!ps
$Domain = Get-ADDomain
Write-Host "Domain: $($Domain.DNSRoot) ($($Domain.NetBIOSName))"

$Password = ConvertTo-SecureString "Sutherland2026!" -AsPlainText -Force
$UPN  = "joshua.sutherland@$($Domain.DNSRoot)"
$Path = "CN=Users,$($Domain.DistinguishedName)"

New-ADUser `
  -Name "Joshua Sutherland" `
  -GivenName "Joshua" -Surname "Sutherland" `
  -SamAccountName "joshua.sutherland" `
  -UserPrincipalName $UPN `
  -EmailAddress "joshua@kittlearizona.com" `
  -AccountPassword $Password `
  -Enabled $true `
  -ChangePasswordAtLogon $true `
  -Path $Path `
  -Description "Created 2026-05-08 by Howard for use on Wrex's machine"

Get-ADUser -Identity joshua.sutherland -Properties * |
  Select-Object SamAccountName, UserPrincipalName, EmailAddress, Enabled, DistinguishedName

Password reset (run on DC, ScreenConnect #!ps)

#!ps
$NewPassword = ConvertTo-SecureString "Kota2020!" -AsPlainText -Force
Set-ADAccountPassword -Identity "joshua.sutherland" -NewPassword $NewPassword -Reset
Set-ADUser -Identity "joshua.sutherland" -ChangePasswordAtLogon $true
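# ChangePasswordAtLogon is a Set-ADUser parameter, not a readable property;
# pwdLastSet = 0 (PasswordExpired = True) shows that the flag is set.
Get-ADUser -Identity "joshua.sutherland" -Properties pwdLastSet, PasswordLastSet, PasswordExpired |
    Select-Object SamAccountName, Enabled, PasswordLastSet, PasswordExpired, pwdLastSet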

Local admin add (run on Wrex's PC, NOT the DC)

#!ps
$DomainNetBIOS = "KITTLE"
$User = "$DomainNetBIOS\joshua.sutherland"
Add-LocalGroupMember -Group "Administrators" -Member $User
Get-LocalGroupMember -Group "Administrators" | Format-Table Name, ObjectClass, PrincipalSource
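
A guarded version of the local-admin step, as an added example that is not part of the session log: it refuses to run on a domain controller (the failure recorded under Problems Encountered), targets the Administrators group by its well-known SID S-1-5-32-544 rather than by name, and confirms the membership afterwards. The variable names are illustrative.

```powershell
#!ps
# Added example (not from the session log). Run on the workstation, not the DC.
$ErrorActionPreference = 'Stop'

$Member   = 'KITTLE\joshua.sutherland'
$AdminSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

# Win32_ComputerSystem.DomainRole: 0/1 = workstation, 2/3 = member server,
# 4 = backup DC, 5 = primary DC. A DC has no local SAM group to modify.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
if ($role -ge 4) {
    throw "$env:COMPUTERNAME is a domain controller (DomainRole $role). Run this on the workstation instead."
}

# Idempotent add: only call Add-LocalGroupMember if the account is not already a member.
$existing = Get-LocalGroupMember -SID $AdminSid -Member $Member -ErrorAction SilentlyContinue
if ($existing) {
    Write-Host "$Member is already a member of the local Administrators group."
} else {
    Add-LocalGroupMember -SID $AdminSid -Member $Member
    Write-Host "Added $Member to the local Administrators group."
}

# Verify the result and show where each member comes from (Local vs ActiveDirectory).
$check = Get-LocalGroupMember -SID $AdminSid -Member $Member -ErrorAction SilentlyContinue
if (-not $check) {
    throw "Verification failed: $Member is not in the local Administrators group on $env:COMPUTERNAME."
}
Get-LocalGroupMember -SID $AdminSid |
    Format-Table Name, ObjectClass, PrincipalSource
```

The new membership only appears in the user's access token at the next logon, so the account must sign out and back in before elevation works.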

GuruRMM agent deployment (working command)

#!ps
$u='https://rmm-api.azcomputerguru.com/downloads/gururmm-agent-windows-amd64-latest.exe';
$d='C:\Windows\Temp\gururmm-agent.exe';
Invoke-WebRequest $u -UseBasicParsing -OutFile $d;
& $d install --server-url 'wss://rmm-api.azcomputerguru.com/ws' --api-key 'grmm_JA9bA45d7IGOf0bEifZnH9JjIBPOMZxq'

The #!ps prefix is required when running via the ScreenConnect Commands tab; without it, ScreenConnect runs the input in cmd context and Invoke-WebRequest fails. The URL itself returns HTTP 200 (verified, 3.95 MB exe).
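
The same deployment with an integrity check before the binary is executed, as an added example that is not part of the session log. The expected SHA-256, the expected signer name and the key value are placeholders to be filled from a trusted source; whether the agent build is Authenticode-signed is an assumption, which is why a pinned hash is accepted as an alternative.

```powershell
#!ps
# Added example (not from the session log). Fails closed: nothing runs unless
# the download matches a pinned hash or carries a valid, expected signature.
$ErrorActionPreference = 'Stop'

$Url    = 'https://rmm-api.azcomputerguru.com/downloads/gururmm-agent-windows-amd64-latest.exe'
$Dest   = 'C:\Windows\Temp\gururmm-agent.exe'
$ApiKey = '<SITE-ENROLLMENT-KEY>'     # placeholder: paste from the vault at run time
$Sha256 = '<EXPECTED-SHA256>'         # placeholder: hash obtained out-of-band for this build
$Signer = '<EXPECTED-SIGNER-CN>'      # placeholder: publisher name, if the build is signed

Invoke-WebRequest -Uri $Url -UseBasicParsing -OutFile $Dest

$hash = (Get-FileHash -Path $Dest -Algorithm SHA256).Hash
$sig  = Get-AuthenticodeSignature -FilePath $Dest

# String -eq is case-insensitive, so hex case does not matter.
$hashOk = $hash -eq $Sha256
# Status 'Valid' means the signature chains to a trusted root and the file is unmodified.
$sigOk  = ($sig.Status -eq 'Valid') -and
          ($sig.SignerCertificate.Subject -like "*CN=$Signer*")

Write-Host "SHA256    : $hash"
Write-Host "Signature : $($sig.Status) $($sig.SignerCertificate.Subject)"

if (-not ($hashOk -or $sigOk)) {
    Remove-Item -Path $Dest -Force
    throw "Agent binary failed verification (hash match: $hashOk, signature match: $sigOk). Not installing."
}

& $Dest install --server-url 'wss://rmm-api.azcomputerguru.com/ws' --api-key $ApiKey

# The enrollment key was passed on the command line; remove the installer copy.
Remove-Item -Path $Dest -Force -ErrorAction SilentlyContinue
```

Because the URL points at a "latest" build, a pinned hash has to be refreshed for every release, while the signer check keeps working across releases.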

Pending / Incomplete Tasks

Onsite (in progress 11:30 AM PT)

  • Add KITTLE\joshua.sutherland to local Administrators group on Wrex's workstation (script ready — run on Wrex's PC)
  • Install GuruRMM agent on SERVER2021 (PowerShell command ready)
  • Install GuruRMM agent on Wrex's workstation (same command)
  • Optionally: roll out GuruRMM agent to FRONTDESK and any other Kittle endpoints
  • Bill the Syncro ticket (#32263) at end of onsite

Vault hygiene

  • Migrate Kittle SERVER2021 admin password (administrator / AXman2Z) from Syncro plaintext customer notes to SOPS vault (clients/kittle/server2021.sops.yaml)
  • Migrate the two Kittle Outlook accounts (kittletucson@outlook.com / kittletucson2@outlook.com) from Syncro notes to vault
  • Strip those plaintext credentials from Syncro after vaulting (same exposure pattern as Horseshoe Management — flagged on 2026-05-06)

Joshua workstation tasks (onsite)

  • Confirm Joshua has signed in successfully on Wrex's PC and changed his password at first logon
  • Verify joshua.sutherland is a local admin on Wrex's PC (whoami /priv, or test elevated UAC prompt)
  • Email setup if needed (M365 mailbox provisioning is separate from AD creation — Joshua may need a Kittle M365 license assigned)

Reference Information

Vault paths

  • clients/kittle/gururmm-site-main.sops.yaml — GuruRMM site enrollment key (NEW today, vault commit 6eb3414)
  • clients/kittle/m365-michael-sanchez.sops.yaml — existing M365 entry for Michael Sanchez

Syncro

GuruRMM

  • API: https://rmm-api.azcomputerguru.com
  • Dashboard: https://rmm.azcomputerguru.com
  • Kittle Main Office: site code SILVER-HAWK-7639, id 851376d1-33be-46ee-9e48-be44767e4a0a

Memory

  • .claude/memory/feedback_syncro_appointment_owner.md — new today
  • Cascades-of-Tucson session log for the same day: clients/cascades-tucson/session-logs/2026-05-08-howard-cascades-sdm-token-success-and-alis-sso.md

Onsite scheduled: 2026-05-08 11:30 AM - 1:00 PM PT (Syncro #32263, appointment id 5585387825)
Resume: Confirm onsite tasks (local admin, GuruRMM agents) completed; bill the ticket; vault migration follow-up.